EP2310974B1 - Intelligente hashes für zentralisierte schadsoftware-detektion - Google Patents
Intelligente hashes für zentralisierte schadsoftware-detektion Download PDFInfo
- Publication number
- EP2310974B1 EP2310974B1 EP09767304.0A EP09767304A EP2310974B1 EP 2310974 B1 EP2310974 B1 EP 2310974B1 EP 09767304 A EP09767304 A EP 09767304A EP 2310974 B1 EP2310974 B1 EP 2310974B1
- Authority
- EP
- European Patent Office
- Prior art keywords
- entity
- intelligent
- subsequences
- hash
- malware
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000001514 detection method Methods 0.000 title description 15
- 238000011156 evaluation Methods 0.000 claims description 41
- 238000000034 method Methods 0.000 claims description 25
- 238000004891 communication Methods 0.000 claims description 8
- 230000009466 transformation Effects 0.000 claims description 6
- 238000001914 filtration Methods 0.000 claims 1
- 230000006835 compression Effects 0.000 description 9
- 238000007906 compression Methods 0.000 description 9
- 238000010586 diagram Methods 0.000 description 8
- 230000006870 function Effects 0.000 description 8
- 102000054765 polymorphisms of proteins Human genes 0.000 description 6
- 230000006837 decompression Effects 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 5
- 238000013459 approach Methods 0.000 description 3
- 230000006399 behavior Effects 0.000 description 3
- 238000004590 computer program Methods 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 238000012546 transfer Methods 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 230000003247 decreasing effect Effects 0.000 description 2
- 238000000844 transformation Methods 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000002730 additional effect Effects 0.000 description 1
- 238000013528 artificial neural network Methods 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 230000008867 communication pathway Effects 0.000 description 1
- 230000001010 compromised effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000003066 decision tree Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 1
- 230000014509 gene expression Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 238000005067 remediation Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
Definitions
- This invention pertains in general to computer security and in particular to the identification of malware using intelligent hashes.
- malware malicious software
- Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites.
- Modem malware is often designed to provide financial gain to the attacker.
- malware can surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers.
- the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
- Some security computer systems and software for counteracting malware operate by seeking to identify characteristics of malware that are used to determine whether an entity such as a computer file or a software application contains malware.
- a hash value herein referred to as a "hash” is a value generated by applying a transform such as a cryptographic hash function to an entity such as a malware program.
- a hash value forms a unique representation or "fingerprint" of the malware program which can then be used as a characteristic to identify the program.
- Common transforms for generating hashes include MD5 and SHA-1.
- Cryptographic hash functions are sensitive to small changes in the data (i.e. polymorphisms). Therefore, two similar entities such as variants of the same malware program (i.e. polymorphic malware) may have very different hashes. In this way, hashes are specific to the entity they are generated from. This specificity often causes false negative identifications of polymorphic malware as the data used to generate a hash for one variant of a malware program may be subject to the polymorphisms.
- hashes of an entity are used in identifying whether or not the entity is malware.
- the number of different malware entities a client can be exposed to continues to increase over time, the number of hashes used to determine whether an entity is malware has grown proportionally.
- Using a large set of hashes can create inefficiency in scanning an entity such as a software application or file to detect the presence of malware.
- WO 2007/117567 A2 concerns a system and method for detecting malware on a limited access mobile platform in a mobile network.
- the system and method uses one or more feature sets that describe various non-executable portions of malware-infected and malware-free applications, and compares a application on the limited access mobile platform to the features sets.
- a match of the features in a suspect application to one of the feature sets provides an indication as to whether the suspect application is malware-infected or malware-free.
- One aspect provides a method according to claim 1.
- Another aspect provides a computer system according to claim 8.
- FIG. 1 is a high-level block diagram of a computing environment 100 according to one embodiment.
- FIG. 1 illustrates a security server 110 and three clients 150 connected by a network 114. Only three clients 150 are shown in FIG. 1 in order to simplify and clarify the description.
- Embodiments of the computing environment 100 can have thousands or millions of clients 150 connected to the network 114.
- the security server 110 interacts with the clients 150 via the network 114.
- the security server 110 includes an intelligent hash database 174 storing intelligent hashes used to detect malware.
- An "intelligent hash” is generated by identifying metadata associated with an entity, such as a file or a software application, that is both unique to the entity (i.e. specific) and largely invariant over small changes to the entity such as polymorphisms (i.e. robust). These metadata can either be extracted from the entity or generated using transformations or functions.
- the intelligent hashes generated from two entities which are variants of the same entity will reflect that similarity.
- the polymorphisms between the two variants of the same entity may result in differences in some of the metadata represented in the intelligent hashes for the two variants of the same entity.
- the majority of the metadata will remain the same reflecting the similarity between the two variants of the same entity.
- the security server 110 generates intelligent hashes for a comprehensive set of known malware threats and stores the intelligent hashes in the intelligent hash database 174.
- the security server 110 uses the intelligent hash database 174 to evaluate whether intelligent hashes generated at clients 150 correspond to intelligent hashes in the intelligent hash database 174.
- the client 150 Upon identification of a suspicious entity such as an unknown entity or an entity that is suspected to be malware, the client 150 generates an intelligent hash of the suspicious entity, herein referred to as a "suspicious entity hash".
- the client 150 transmits the suspicious entity hash to the security server 110 for evaluation.
- the security server 110 evaluates the intelligent hash by comparing it to the intelligent hashes in the database 174 to determine whether the suspicious entity hash is the same or similar to the intelligent hashes in the intelligent hash database 174.
- the security server 110 reports the results of the evaluation back to the client 150.
- a client 150 is a computer used by one or more users to perform activities including downloading, installing, and/or executing software entities.
- the client 150 can be a personal computer executing a web browser such as MICROSOFT INTERNET EXPLORER that allows the user to retrieve and display content from web servers and other computers on the network 114.
- the client 150 is a network-capable device other than a computer, such as a personal digital assistant (PDA), a mobile telephone, a pager, a television "set-top box," etc.
- PDA personal digital assistant
- client also includes computers such as servers and gateways that encounter software entities or other entities that might constitute malware or other threats.
- a client 150 can be a network gateway located between an enterprise network and the Internet.
- intelligent hash database 174 and other information stored at the security server 110 to evaluate suspicious entity hashes provides a mechanism for centralizing the evaluation of suspicious entities, while still providing for comprehensive client-side malware detection.
- This approach leverages the processing power of the security server 110 to generate the intelligent hash database 174 and evaluate intelligent hashes received from the clients 150.
- the approach is well-suited to computing environments where it is not practical or desirable to transmit intelligent hash databases 174 to the clients 150.
- intelligent hashes allows for detection of malware entities that have been modified to contain polymorphisms, thus providing a decreased number of false negative evaluations of malware and eliminating the need to produce multiple hashes for each entity.
- This "intelligent" detection further allows for the determination of a similarity value between two intelligent hashes.
- This similarity value can be a continuous or percentage-based value which provides a user with the ability to quantify a degree of similarity between two entities, as opposed to traditional hash methods which only provide binary identification. For example, a user may be able to quantify that two intelligent hashes have 90% similarity based on a similarity value which specifies a percentage of matching metadata between the two hashes.
- the network 114 represents the communication pathways between the security server 110 and clients 150.
- the network 114 is the Internet.
- the network 114 can also utilize dedicated or private communications links that are not necessarily part of the Internet.
- the network 114 uses standard communications technologies and/or protocols.
- the network 114 can include links using technologies such as Ethernet, 802.11, integrated services digital network (ISDN), digital subscriber line (DSL), asynchronous transfer mode (ATM), etc.
- the networking protocols used on the network 114 can include the transmission control protocol/Internet protocol (TCP/IP), the hypertext transport protocol (HTTP), the simple mail transfer protocol (SMTP), the file transfer protocol (FTP), etc.
- the data exchanged over the network 114 can be represented using technologies and/or formats including the hypertext markup language (HTML), the extensible markup language (XML), etc.
- HTML hypertext markup language
- XML extensible markup language
- all or some of links can be encrypted using conventional encryption technologies such as the secure sockets layer (SSL), Secure HTTP and/or virtual private networks (VPNs).
- SSL secure sockets layer
- VPNs virtual private networks
- the entities can use custom and/or dedicated data communications technologies instead of, or in addition to, the ones described above.
- FIG. 2 is a high-level block diagram illustrating a typical computer 200 for use as a security server 110 or client 150. Illustrated are a processor 202 coupled to a bus 204. Also coupled to the bus 204 are a memory 206, a storage device 208, a keyboard 210, a graphics adapter 212, a pointing device 214, and a network adapter 216. A display 218 is coupled to the graphics adapter 212.
- the processor 202 may be any general-purpose processor such as an INTEL x86 compatible-CPU.
- the storage device 208 is, in one embodiment, a hard disk drive but can also be any other device capable of storing data, such as a writeable compact disk (CD) or DVD, or a solid-state memory device.
- the memory 206 may be, for example, firmware, read-only memory (ROM), non-volatile random access memory (NVRAM), and/or RAM, and holds instructions and data used by the processor 202.
- the pointing device 214 may be a mouse, track ball, or other type of pointing device, and is used in combination with the keyboard 210 to input data into the computer 200.
- the graphics adapter 212 displays images and other information on the display 218.
- the network adapter 216 couples the computer 200 to the network 114.
- the computer 200 is adapted to execute computer program modules.
- module refers to computer program logic and/or data for providing the specified functionality.
- a module can be implemented in hardware, firmware, and/or software.
- the modules are stored on the storage device 208, loaded into the memory 206, and executed by the processor 202.
- the types of computers 200 utilized by the entities of FIG. 1 can vary depending upon the embodiment and the processing power utilized by the entity.
- a client 150 that is a mobile telephone typically has limited processing power, a small display 218, and might lack a pointing device 214.
- the security server 110 may comprise multiple blade servers working together to provide the functionality described herein.
- FIG. 3 is a high-level block diagram illustrating a detailed view of the security server 110 according to one embodiment.
- the security server 110 includes several modules. Those of skill in the art will recognize that other embodiments can have different and/or other modules than the ones described here, and that the functionalities can be distributed among the modules in a different manner. In addition, the functions ascribed to the security server 110 can be performed by multiple servers.
- An evaluation reporting module 352 communicates with the clients 150 via the network 114.
- the evaluation reporting module 352 receives suspicious entity hashes from the clients 150.
- the evaluation reporting module 352 communicates with the suspicious entity hash evaluation module 342 to receive results of evaluations of the suspicious entity hashes.
- the evaluation reporting module 352 further provides the results of evaluations of the suspicious entity hashes to the clients 150.
- the intelligent hash generation module 312 analyzes entities such as software applications to identify metadata associated with the entities and generate intelligent hashes based on the identified metadata.
- the intelligent hash generation module 312 generates intelligent hashes based on different types of metadata derived from the entity including: compression information, a set of frequently occurring metalanguage subsequences and a set of unique strings.
- the intelligent hash generation module 312 generates intelligent hashes based on additional metadata or other information associated with or derived from the entity.
- the intelligent hash generation module 312 generates compression information for an entity including information specifying one or more algorithms used to compress the entity, herein referred to as "packers". This compression information helps to identify malware threats, as some malware entities (or families of malware entities) are compressed with the same packer(s).
- the intelligent hash generation module 312 attempts to decompress the entity by applying a set of known decompression algorithms 303 to the entity. If the intelligent hash generation module 312 is successful in decompressing the entity, compression information for the entity includes the packer that was used to successfully decompress the entity. If the intelligent hash generation module 312 fails to decompress the entity, compression information for the entity includes an indicator that the packer is unknown.
- the compression information generated by the intelligent hash generation module 312 can also include: the size of the entity before and after decompression, whether an emulator or a packer was used to compress the entity and the size of a set of a set of data appended to the entity.
- the intelligent hash generation module 312 further generates metalanguage instructions based on the entity.
- Metalanguage instructions are instructions which are generated based on a transformation of the program code of the entity.
- the intelligent hash generation module 312 generates a sequence of metalanguage instructions based on the entity.
- the metalanguage instructions generated by the intelligent hash module 312 can range from high level transformations such as pseudo-code instructions to assembly language instructions.
- the intelligent hash generation module 312 further determines information based on the metalanguage instructions such as the frequency of each type of instruction.
- the intelligent hash generation module 312 determines a set of subsequences of assembly instructions that frequently occur within the entity.
- the intelligent hash generation module 312 comprises one or more disassembler programs 309 which convert the entity into a sequence of assembly language instructions. Each instruction in the sequence is herein referred to as an operation code. Suitable disassembler programs can include but are not limited to: the Interactive Disassembler (IDAPro), Sourcer and BDASM. Based on this conversion, the intelligent hash generation module 312 identifies metadata including: the total number of instructions within the sequence of assembly language instructions, the number of blocks of operation codes in the sequence of assembly language instructions, the median number of operation codes per block and cross reference information contained within the sequence of assembly language instructions.
- the intelligent hash generation module 312 analyzes the sequence of metalanguage instructions in order to determine a set of the most frequently occurring subsequences of the sequence of metalanguage instructions.
- the number of instructions in each subsequence of the set will be a fixed size (e.g. 5 instructions). This fixed size can range from 1-50 instructions. In a specific embodiment, the number of instructions in each subsequence will range from 5 to 10 instructions.
- the intelligent hash generation module 312 determines the frequency at which each subsequence occurs in the sequence of metalanguage instructions.
- the intelligent hash generation module 312 uses a sliding window method to enumerate the frequency at which each subsequence occurs within the sequence of metalanguage instructions.
- a sliding window method a window of a fixed size n is advanced by one instruction or operation code over the sequence to enumerate the number of times each subsequence of length n occurs.
- Other methods of enumerating a frequency for each subsequence include string matching algorithms and construction of lookup tables.
- the intelligent hash generation module 312 selects a set of subsequences that occur most frequently in the sequence of metalanguage instructions for inclusion in the intelligent hash. According to the embodiment and the length of the subsequences, this set of subsequences may range from a single subsequence to several subsequences. Typically, the set will range from 5-15 subsequences. In one embodiment, the intelligent hash generation module 312 selects the set of subsequences which have the highest frequency of occurrence. In other embodiments, the intelligent hash generation module 312 may filter out subsequences of metalanguage instructions that occur with very high frequencies over a large set of entities including entities that are not malware (i.e. are non-informative) before selecting the set of subsequences which have the highest frequency of occurrence.
- the intelligent hash generation module 312 further identifies unique strings based on the entity. These unique strings represent information the entity uses to communicate with networks, computer programs and computer systems. These strings can be useful for characterizing the entity based on its communications. Unique strings can include names of libraries or modules the entity communicates with, names of files the entity communicates with, uniform resource locators, internet protocol addresses, email addresses and global unique identifiers (GUIDs) such as class identifiers (CLSIDs)
- the intelligent hash generation module 312 identifies unique strings based on structured information such as: extensions indicating libraries or modules the entity communicates with (e.g...dll extensions indicating communications with dynamic link libraries), other file extensions indicating names of files the entity communicates with (e.g. .avi), information indicating uniform resource locators, information indicating internet protocol addresses, information indicating email addresses and information indicating global unique identifiers.
- extensions indicating libraries or modules the entity communicates with e.g..dll extensions indicating communications with dynamic link libraries
- other file extensions indicating names of files the entity communicates with e.g. .avi
- information indicating uniform resource locators indicating internet protocol addresses
- information indicating email addresses indicating global unique identifiers.
- the intelligent hash generation module 312 identifies the unique strings using regular expressions designed to identify the structured information.
- the intelligent hash generation module 312 selects a set of unique strings for inclusion in the intelligent hash. In some embodiments, the intelligent hash generation module 312 selects all of the unique strings for inclusion in the intelligent hash. In other embodiments, the intelligent hash generation module 312 may limit the number of unique strings based on a fixed size of the intelligent hash (e.g. 750 bytes). Additionally, the unique strings may be filtered or weighted based on unique strings that frequently occur in malware and innocuous entities (i.e. entities that are not malware). In a specific embodiment, a set of frequently occurring strings are generated based on a corpus of innocuous entities and the unique strings are filtered using the set of frequently occurring strings. In some embodiments, the unique strings are given a score which is inversely proportional to their frequency of occurrence over a large set of malware and/or innocuous entities.
- the intelligent hash generation module 312 generates the intelligent hashes based on the metadata.
- the intelligent hash generation module 312 may combine and represent the metadata for the entity in any way to generate the intelligent hashes.
- the intelligent hash will be represented as a string of alphanumeric data.
- the intelligent hash generation module 312 generates intelligent hashes that include numeric values such scores, probability values or frequencies associated with the metadata.
- the intelligent hash generation module 312 generates the intelligent hashes including the set of most frequently occurring subsequences in association with each subsequence's frequency of occurrence.
- the intelligent hash generation module 312 includes a set of weights or frequency values associated with the set of unique strings.
- the hash generation module 312 represents the intelligent hash as an alphanumeric string such as:
- the first type of metadata in the intelligent hash is the size of entity in bytes before decompression.
- the second type of metadata in the intelligent hash describes the packer(s) used to compress the entity. In this example, the 'w' is used to indicate that an emulator has been used in place of a traditional compression algorithm.
- the third type of metadata in the intelligent hash is the size of the entity after decompression.
- the fourth type of metadata in the intelligent hash is the size of data that has been appended to the file.
- the fifth type of metadata in the intelligent hash includes the total instruction count of the sequence of assembly language instructions (indicated by 'I'), the number of blocks in the sequence of assembly language instructions (indicated by 'B'), the median number of instructions in each block (indicated by 'M') and the number of cross references (indicated by 'X').
- the seventh type of metadata in the intelligent hash represents the 10 most frequently occurring subsequences of assembly language instructions and their respective frequencies of occurrence in the sequence of assembly language instructions.
- the eighth type of metadata in the intelligent hash represents the number of unique strings identified based on the entity.
- the ninth type of metadata in the intelligent hash represents the identified unique strings.
- the intelligent hash database 174 stores a set of intelligent hashes generated based on a comprehensive set of known malware entities.
- the intelligent hash database 174 stores the set of intelligent hashes in association with the entities the hashes represent. In some embodiments, the intelligent hash database 174 stores also stores intelligent hashes generated based on entities that are not malware (i.e. innocuous entities).
- a suspicious entity hash evaluation module 342 evaluates suspicious entity hashes reported by the clients 150 to determine whether they represent entities that are malware.
- the suspicious entity hash evaluation module 342 compares the suspicious entity hash with the hashes in the intelligent hash database 174 to determine whether the entity hash is the same or similar to an intelligent hash in the intelligent hash database 174.
- the suspicious entity hash evaluation module 342 generates a similarity score when comparing two intelligent hashes such as the suspicious entity hash and a hash in the intelligent hash database 174.
- the similarity score may be a binary score indicating whether or not the hashes are similar or a continuous numeric score indicating a range of similarity values such as a percentage similarity.
- the suspicious entity hash evaluation module 342 generates the similarity score based on the metadata within the two intelligent hashes.
- the suspicious entity hash evaluation module 342 generates a similarity score based on a function which provides a single comparison of all the metadata such as a Euclidean distance function or a cosine distance function.
- the suspicious entity hash evaluation module 342 generates the similarity score based on a series of comparisons of different types of metadata such as a decision tree algorithm. In some embodiments, the suspicious entity hash evaluation module 342 may use machine learning methods such as neural networks or boosting to generate similarity scores.
- the suspicious entity hash evaluation module 342 generates the similarity scores through a pre-determined sequence of comparisons of different types of metadata values. In this embodiment, the suspicious entity hash evaluation module 342 compares in order: the sets of most frequently occurring assembly language subsequences, the frequencies of the sets most frequently occurring assembly language subsequences indicated in the two intelligent hashes, the packer(s) indicated in the intelligent hashes and the unique strings indicated in the intelligent hashes. In one embodiment, the suspicious entity hash evaluation module 342 uses threshold values to determine whether to proceed to the next step in the comparison. For instance, the suspicious entity hash evaluation module 342 may determine that two hashes are not similar based on the set of most frequently occurring assembly language subsequences having less than 80% agreement.
- the suspicious entity hash evaluation module 342 determines the intelligent hash with highest similar score and the entity associated with the intelligent hash in the intelligent hash database 174.
- the suspicious entity hash evaluation module 342 communicates the results of the evaluation to the evaluation reporting module 352, the results including: the entity associated with the highest scoring intelligent hash, whether the highest similarity score is above the similarity cutoff value and whether the entity associated with the highest scoring intelligent hash is a malware entity or an innocuous entity.
- the suspicious entity hash evaluation module 342 may report the results of an evaluation to an administrator of the security server 110 for further evaluation.
- FIG. 4 is a high-level block diagram illustrating a detailed view of the security module 116 of a client 150 according to one embodiment.
- the security module 116 is incorporated into an operating system executing on the client 150 while in other embodiments the security module 116 is a standalone entity or part of another product.
- the security module 116 includes multiple modules. Those of skill in the art will recognize that other embodiments of the security module 116 can have different and/or other modules than the ones described here, and that the functionalities can be distributed among the modules in a different manner.
- a suspicious entity detection module 450 detects suspicious entities.
- the suspicious entity detection module 450 scans the storage device 208 or memory 206 associated with the client 150 to detect suspicious entities installed or stored on the storage device 208 or memory 206.
- the suspicious entity detection module 450 can detect suspicious entities only when an entity is accessed or executed by a user.
- the suspicious entity detection module 450 can detect suspicious entities using different methods.
- the suspicious entity detection module 450 can identify that the entity is unknown by accessing a list of entities that have been previously evaluated or otherwise determined to be innocuous.
- the suspicious entity detection module 450 can scan the client 150 using a set of malware signatures or hashes to detect suspicious entities.
- the suspicious entity detection module 450 monitors the behaviors of the entities on the client 150 to determine whether any of the behaviors satisfy behaviors specified in a set of malware signatures.
- an embodiment of the suspicious entity detection module 450 quarantines the suspicious entity to prevent the entity from damaging the client 150.
- the suspicious entity may be quarantined, for example, by configuring the client 150 to prohibit execution of it and/or taking another action to prevent any malicious code in the suspicious entity from causing harm.
- the suspicious entity hash generation module 470 functions to generate intelligent hashes for the suspicious entities (i.e. suspicious entity hashes).
- the suspicious entity hash generation module 470 generates suspicious entity hashes that include metadata derived according to the methods outlined above in reference to the intelligent hash generation module 312.
- the suspicious entity hash generation module 470 communicates the generated suspicious entity hashes to the suspicious entity hash reporting module 460.
- the suspicious entity hash reporting module 460 communicates with the security server 110 via the network 114.
- the suspicious entity hash reporting module 460 reports suspicious entity hashes to the security server 110.
- the suspicious entity hash reporting module 460 receives results of the suspicious entity hash evaluations from the security server 110.
- the results of the suspicious entity hash evaluations include: the entity associated with the highest scoring intelligent hash, whether the highest similarity score is above the similarity cutoff value and whether the entity associated with the highest scoring intelligent hash is a malware entity or an innocuous entity. If the evaluation indicates that a signature detection event is not malware (i.e.
- the suspicious entity hash reporting module 460 communicates instructions to the suspicious entity detection module 450 to suppress (e.g., to ignore) the signature detection event.
- the suspicious entity hash reporting module 460 will release the entity from quarantine and/or undo other actions performed when the entity was declared suspicious.
- the suspicious entity hash reporting module 460 remediates the client 150, for example, by removing the suspicious entity and/or repairing corrupted entities on the client 150.
- the suspicious entity hash reporting module 460 may perform additional actions, such as alerting a user of the client 150 and logging the suspicious entity.
- FIG. 5 is a flowchart illustrating steps performed by the security server 110 to generate intelligent hashes according to one embodiment. Other embodiments perform the illustrated steps in different orders, and/or perform different or additional steps. Moreover, some of the steps can be performed by engines or modules other than the security server 110.
- the security server 110 identifies 512 an entity such as software application or a file.
- the security server 110 generates 514 compression information for the entity by applying a set of decompression algorithms 303 to the entity.
- the security server 110 generates 516 a sequence of assembly language instructions by applying one or more dissembler algorithms 309 to the entity.
- the security server 110 determines 518 a set of most frequently occurring subsequences of the sequence of assembly language instructions.
- the security server 110 identifies 520 a set of unique stings based on the entity.
- the security server 110 generates 522 an intelligent hash for the entity based on the compression information, the set of frequently occurring subsequences of assembly language instructions and the set of unique strings.
- FIG. 6 is a flowchart illustrating steps performed by the security server 110 to provide evaluations of suspicious entity hashes to a client 150 according to one embodiment. Other embodiments perform the illustrated steps in different orders, and/or perform different or additional steps. Moreover, some of the steps can be performed by engines or modules other than the security server 110.
- the security server 110 generates 612 an intelligent hash database 174.
- the security server 110 receives 614 a suspicious entity hash from a client 150.
- the security server 110 evaluates 616 whether the suspicious entity hash corresponds to a hash in the intelligent hash database 174.
- the security server 110 provides 618 the results of this evaluation to the client 150.
- FIG. 7 is a flowchart illustrating steps performed by the security module 116 on the client 150 to detect and evaluate suspicious entities according to one embodiment. Other embodiments perform the illustrated steps in different orders, and/or perform different or additional steps. Moreover, some of the steps can be performed by engines or modules other than the security module 116.
- the security module 116 identifies 712 a suspicious entity.
- the security module 116 generates 714 a suspicious entity hash.
- the security module 116 transmits 616 the suspicious entity hash to the security server 110.
- the security module 116 receives 618 an evaluation of the suspicious entity hash from the security server 110, the evaluation indicating whether the suspicious entity hash has a high similarity to an intelligent hash for a malware entity or an innocuous entity. If 720 the evaluation indicates that the suspicious entity is innocuous or not similar to known malware, the security module 116 continues to identify 712 suspicious entities. If 720 the evaluation indicates that the suspicious entity is malware, the security module 116 performs 724 a remediation of the client 150, such as removing the suspicious entity from the client.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Computer And Data Communications (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Storage Device Security (AREA)
Claims (14)
- Verfahren zum Erzeugen eines intelligenten Hashs für eine Entität, wobei das Verfahren Folgendes umfasst:Erzeugen (516) einer Sequenz von Metasprachanweisungen basierend auf einer Transformation des Programmcodes der Entität;Bestimmen einer Vielzahl von Frequenzwerten für eine Vielzahl von Teilsequenzen der Sequenz von Metasprachanweisungen, wobei eine Teilsequenz eine Vielzahl von sequentiellen Metasprachanweisungen enthält, wobei ein Frequenzwert eine Frequenz anzeigt, bei der eine assoziierte Teilsequenz in der Sequenz von Metasprachanweisungen basierend auf der Transformation des Programmcodes der Entität auftritt;Auswählen eines Satzes von Teilsequenzen aus der Vielzahl von Teilsequenzen, basierend mindestens teilweise auf der Vielzahl von Frequenzwerten, wobei das Auswählen einen Satz von Teilsequenzen auswählt, die eine höchste Häufigkeit des Auftretens aufweisen, wobei das Auswählen des Satzes von Teilsequenzen weiter Folgendes umfasst:Ausfiltern von Teilsequenzen von Metasprachenanweisungen, die mit sehr hohen Frequenzen auf einem großen Satz von Entitäten auftreten, vor dem Auswählen des Satzes von Teilsequenzen, die die höchste Frequenz des Auftretens aufweisen;Erzeugen (522) des intelligenten Hashs für die Entität basierend mindestens teilweise auf dem ausgewählten Satz von Teilsequenzen; undSpeichern des intelligenten Hashs in einer Speichervorrichtung.
- Verfahren nach Anspruch 1, wobei die Frequenzwerte der ausgewählten Teilsequenzen anzeigen, dass die Teilsequenzen mit hoher Frequenz in der Sequenz von Metasprachanweisungen auftreten.
- Verfahren nach Anspruch 1 oder 2, wobei das Erzeugen des intelligenten Hashs für die Entität weiter Folgendes umfasst:Identifizieren einer Technik, die verwendet wird, um die Entität zu komprimieren;Definieren von Information, die die Technik beschreibt, die verwendet wird, um die Entität zu komprimieren; undErzeugen des intelligenten Hashs für die Entität, basierend mindestens teilweise auf der Information, die die identifizierte Technik beschreibt.
- Verfahren nach einem der Ansprüche 1 bis 3, wobei das Erzeugen des intelligenten Hashs für die Entität weiter Folgendes umfasst:Identifizieren eines Satzes von einzigartigen Strängen, basierend auf der Entität;Definieren der Information, die den Satz von einzigartigen Strängen beschreibt; undErzeugen des intelligenten Hashs für die Entität, basierend mindestens teilweise auf Information, die den Satz von einzigartigen Strängen beschreibt.
- Verfahren nach Anspruch 4, wobei das Identifizieren des Satzes von einzigartigen Strängen basierend auf der Entität das Identifizieren eines Satzes von Strängen umfasst, die Kommunikationen zwischen der Entität und einem Computersystem anzeigen.
- Verfahren nach Anspruch 4, wobei das Identifizieren eines Satzes von einzigartigen Strängen basierend auf der Entität das Identifizieren eines Satzes von Strängen umfasst, die Kommunikationen anzeigen, die durch die Entität durch ein Netzwerk durchgeführt werden.
- Computer-lesbares Speichermedium, das ein oder mehrere Module zur Steuerung eines Computerprozessors speichert, um ein Verfahren wie in einem der Ansprüche 1 bis 6 definiert durchzuführen.
- Computersystem, um zu bestimmen, ob eine verdächtige Entität einer Malware-Entität entspricht, wobei das System Folgendes umfasst:Meldemittel (352), um einen intelligenten Hash zu erhalten, erzeugt basierend mindestens teilweise auf einem Satz von Teilsequenzen einer Sequenz von Metasprachanweisungen, erzeugt basierend auf einer Transformation eines Programmcodes einer verdächtigen Entität, die von einem Kunden (150) gefunden wurde, wobei die Teilsequenzen im Satz von Teilsequenzen eine Vielzahl von sequenziellen Metasprachanweisungen umfassen, der Satz von Teilsequenzen aus einer Vielzahl von Teilsequenzen der Sequenz von Metasprachanweisungen ausgewählt ist, basierend mindestens teilweise auf einer Vielzahl von Frequenzwerten, die Frequenzen angeben, bei denen assoziierte Teilsequenzen in der Sequenz von Matasprachanweisungen auftreten, wobei der ausgewählte Satz von Teilsequenzen eine höhste Frequenz des Auftretens aufweist, wobei Teilsequenzen von Metasprachanweisungen, die mit sehr hohen Frequenzen auf einem großen Satz von Entitäten auftreten, ausgefiltert werden, bevor der Satz von Teilsequenzen ausgewählt wird, die die höchste Frequenz des Auftretens aufweisen; undBewertungsmittel zur Bestimmung, ob die verdächtige Entität der Malware-Identitiät entspricht, basierend auf dem intelligenten Hash;wobei die Meldemittel weiter dazu dienen, dem Kunden zu melden, ob der intelligente Hash der Malware-Entität entspricht.
- Computersystem nach Anspruch 8, weiter umfassend:intelligente Hash-Datenbankmittel (174), um eine Vielzahl von intelligenten Hashs zu speichern; wobei die Bewertungsmittel weiter dazu dienen, um:eine Vielzahl von Ähnlichkeitspunkten zu erzeugen, basierend auf dem intelligenten Hash, erzeugt basierend auf der verdächtigen Entität und der Vielzahl von intelligenten Hashs, wobei ein Ähnlichkeitspunkt eine Ähnlichkeit zwischen dem intelligenten Hash, erzeugt basierend auf der verdächtigen Entität, und einem intelligenten Hash der Vielzahl von intelligenten Hashs angibt; undBestimmen, ob der Hash der verdächtige Entität der Malware-Entität entspricht, basierend auf einem intelligenten Hash, assoziiert mit dem höchsten Ähnlichkeitspunkt der Vielzahl von Ähnlichkeitspunkten.
- Computersystem nach Anspruch 8 oder 9, weiter umfassend:Mittel (312) zur Erzeugung von intelligenten Hashs, um einen intelligenten Hash basierend auf der Malware-Entität zu erzeugen.
- Computersystem nach Anspruch 10, wobei die Frequenzwerte der ausgewählten Teilsequenzen anzeigen, dass die Teilsequenzen mit hoher Frequenz in der Sequenz von Metasprachanweisungen basierend auf der Malware-Entität auftreten.
- Computersystem nach einem der Ansprüche 10 oder 11, wobei die Mittel zur Erzeugung von intelligenten Hashs (312) weiter dazu dienen, um:eine Technik zu identifizieren, die verwendet wird, um die Malware-Entität zu komprimieren;eine Information zu definieren, die die Technik beschreibt, die verwendet wird, um die Malware-Entität zu komprimieren; undden intelligenten Hash für die Malware-Entität zu erzeugen, basierend mindestens teilweise auf der Information, die die identifizierte Technik beschreibt.
- Computersystem nach einem der Ansprüche 10 bis 12, wobei die Mittel zur Erzeugung von intelligenten Hashs (312) weiter dazu dienen, um:einen Satz von einzigartigen Strängen basierend auf der Malware-Entität zu identifizieren;Information zu definieren, die den Satz von einzigartigen Strängen beschreibt; und
den intelligenten Hash für die Malware-Entität zu erzeugen, basierend mindestens teilweise auf Information, die den Satz von einzigartigen Strängen beschreibt. - Computersystem nach Anspruch 13, wobei das Identifizieren des Satzes von einzigartigen Strängen basierend auf der Malware-Entität das Identifizieren eines Satzes von Strängen umfasst, die Kommunikationen anzeigen, die von der Entität in einem gesamten Netz durchgeführt werden.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/128,490 US8732825B2 (en) | 2008-05-28 | 2008-05-28 | Intelligent hashes for centralized malware detection |
PCT/US2009/045319 WO2009154992A2 (en) | 2008-05-28 | 2009-05-27 | Intelligent hashes for centralized malware detection |
Publications (2)
Publication Number | Publication Date |
---|---|
EP2310974A2 EP2310974A2 (de) | 2011-04-20 |
EP2310974B1 true EP2310974B1 (de) | 2017-03-01 |
Family
ID=41323787
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP09767304.0A Active EP2310974B1 (de) | 2008-05-28 | 2009-05-27 | Intelligente hashes für zentralisierte schadsoftware-detektion |
Country Status (5)
Country | Link |
---|---|
US (1) | US8732825B2 (de) |
EP (1) | EP2310974B1 (de) |
JP (1) | JP5511097B2 (de) |
CN (1) | CN102047260B (de) |
WO (1) | WO2009154992A2 (de) |
Families Citing this family (225)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8375444B2 (en) | 2006-04-20 | 2013-02-12 | Fireeye, Inc. | Dynamic signature creation and enforcement |
US8793787B2 (en) | 2004-04-01 | 2014-07-29 | Fireeye, Inc. | Detecting malicious network content using virtual environment components |
US8881282B1 (en) | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US8204984B1 (en) | 2004-04-01 | 2012-06-19 | Fireeye, Inc. | Systems and methods for detecting encrypted bot command and control communication channels |
US8898788B1 (en) | 2004-04-01 | 2014-11-25 | Fireeye, Inc. | Systems and methods for malware attack prevention |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US7587537B1 (en) | 2007-11-30 | 2009-09-08 | Altera Corporation | Serializer-deserializer circuits formed from input-output circuit registers |
US8171553B2 (en) | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US8549638B2 (en) | 2004-06-14 | 2013-10-01 | Fireeye, Inc. | System and method of containing computer worms |
US8539582B1 (en) | 2004-04-01 | 2013-09-17 | Fireeye, Inc. | Malware containment and security analysis on connection |
US8528086B1 (en) | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US8561177B1 (en) | 2004-04-01 | 2013-10-15 | Fireeye, Inc. | Systems and methods for detecting communication channels of bots |
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US9106694B2 (en) | 2004-04-01 | 2015-08-11 | Fireeye, Inc. | Electronic message analysis for malware detection |
US9027135B1 (en) | 2004-04-01 | 2015-05-05 | Fireeye, Inc. | Prospective client identification using malware attack detection |
US8176477B2 (en) | 2007-09-14 | 2012-05-08 | International Business Machines Corporation | Method, system and program product for optimizing emulation of a suspected malware |
US10262136B1 (en) | 2008-08-04 | 2019-04-16 | Zscaler, Inc. | Cloud-based malware detection |
US8230510B1 (en) * | 2008-10-02 | 2012-07-24 | Trend Micro Incorporated | Scanning computer data for malicious codes using a remote server computer |
US8997219B2 (en) | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US8850571B2 (en) * | 2008-11-03 | 2014-09-30 | Fireeye, Inc. | Systems and methods for detecting malicious network content |
US20100199350A1 (en) * | 2009-02-04 | 2010-08-05 | Mark David Lilibridge | Federated Scanning of Multiple Computers |
US8769683B1 (en) * | 2009-07-07 | 2014-07-01 | Trend Micro Incorporated | Apparatus and methods for remote classification of unknown malware |
US8832829B2 (en) | 2009-09-30 | 2014-09-09 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
US8683216B2 (en) * | 2010-07-13 | 2014-03-25 | F-Secure Corporation | Identifying polymorphic malware |
JP2012083849A (ja) * | 2010-10-07 | 2012-04-26 | Hitachi Ltd | マルウェア検知装置、及びその方法とプログラム |
RU2444056C1 (ru) * | 2010-11-01 | 2012-02-27 | Закрытое акционерное общество "Лаборатория Касперского" | Система и способ ускорения решения проблем за счет накопления статистической информации |
US9218461B2 (en) * | 2010-12-01 | 2015-12-22 | Cisco Technology, Inc. | Method and apparatus for detecting malicious software through contextual convictions |
US9088601B2 (en) | 2010-12-01 | 2015-07-21 | Cisco Technology, Inc. | Method and apparatus for detecting malicious software through contextual convictions, generic signatures and machine learning techniques |
AU2011336466C1 (en) * | 2010-12-01 | 2017-01-19 | Cisco Technology, Inc. | Detecting malicious software through contextual convictions, generic signatures and machine learning techniques |
US8266115B1 (en) * | 2011-01-14 | 2012-09-11 | Google Inc. | Identifying duplicate electronic content based on metadata |
JP5691539B2 (ja) * | 2011-01-17 | 2015-04-01 | 富士通株式会社 | 情報処理方法、プログラム、情報処理装置、及び、情報処理システム |
JP5687593B2 (ja) * | 2011-10-06 | 2015-03-18 | 日本電信電話株式会社 | 解析装置、解析方法および解析プログラム |
US9934229B2 (en) * | 2011-10-23 | 2018-04-03 | Microsoft Technology Licensing, Llc | Telemetry file hash and conflict detection |
US8584235B2 (en) * | 2011-11-02 | 2013-11-12 | Bitdefender IPR Management Ltd. | Fuzzy whitelisting anti-malware systems and methods |
SG11201402078XA (en) * | 2011-11-10 | 2014-09-26 | Securebrain Corp | Unauthorized application detection system and method |
US9519782B2 (en) | 2012-02-24 | 2016-12-13 | Fireeye, Inc. | Detecting malicious network content |
US20130227352A1 (en) * | 2012-02-24 | 2013-08-29 | Commvault Systems, Inc. | Log monitoring |
US8959640B2 (en) * | 2012-03-29 | 2015-02-17 | F-Secure Corporation | Controlling anti-virus software updates |
US8856930B2 (en) * | 2012-03-30 | 2014-10-07 | F-Secure Corporation | Download control |
CN103425928B (zh) * | 2012-05-17 | 2017-11-24 | 富泰华工业(深圳)有限公司 | 电子装置的杀毒系统及方法 |
US9111095B2 (en) | 2012-08-29 | 2015-08-18 | The Johns Hopkins University | Apparatus and method for identifying similarity via dynamic decimation of token sequence n-grams |
US9003529B2 (en) * | 2012-08-29 | 2015-04-07 | The Johns Hopkins University | Apparatus and method for identifying related code variants in binaries |
CN103778114B (zh) * | 2012-10-17 | 2016-03-09 | 腾讯科技(深圳)有限公司 | 文件修复系统和方法 |
CN103020287B (zh) * | 2012-11-20 | 2018-08-10 | 高剑青 | 基于部分哈希值对有限项目的排除 |
US10572665B2 (en) | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US10152591B2 (en) | 2013-02-10 | 2018-12-11 | Paypal, Inc. | Protecting against malware variants using reconstructed code of malware |
JP6176868B2 (ja) * | 2013-02-10 | 2017-08-09 | ペイパル・インク | 予測的なセキュリティ製品を提供し、既存のセキュリティ製品を評価する方法と製品 |
US9009823B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US9159035B1 (en) | 2013-02-23 | 2015-10-13 | Fireeye, Inc. | Framework for computer application analysis of sensitive information tracking |
US9824209B1 (en) | 2013-02-23 | 2017-11-21 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications that is usable to harden in the field code |
US9009822B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for multi-phase analysis of mobile applications |
US9176843B1 (en) | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US9367681B1 (en) | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9195829B1 (en) | 2013-02-23 | 2015-11-24 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US8990944B1 (en) | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US9355247B1 (en) | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9626509B1 (en) | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9565202B1 (en) | 2013-03-13 | 2017-02-07 | Fireeye, Inc. | System and method for detecting exfiltration content |
US9104867B1 (en) | 2013-03-13 | 2015-08-11 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9430646B1 (en) | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9251343B1 (en) | 2013-03-15 | 2016-02-02 | Fireeye, Inc. | Detecting bootkits resident on compromised computers |
US10713358B2 (en) | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
WO2014145805A1 (en) | 2013-03-15 | 2014-09-18 | Mandiant, Llc | System and method employing structured intelligence to verify and contain threats at endpoints |
US9495180B2 (en) | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US9635039B1 (en) | 2013-05-13 | 2017-04-25 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US9270467B1 (en) * | 2013-05-16 | 2016-02-23 | Symantec Corporation | Systems and methods for trust propagation of signed files across devices |
US9536091B2 (en) | 2013-06-24 | 2017-01-03 | Fireeye, Inc. | System and method for detecting time-bomb malware |
US10133863B2 (en) | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
EP2819054B1 (de) | 2013-06-28 | 2018-10-31 | AO Kaspersky Lab | Flexibler Fingerabdruck zur Erkennung von Schadprogrammen |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
RU2580036C2 (ru) | 2013-06-28 | 2016-04-10 | Закрытое акционерное общество "Лаборатория Касперского" | Система и способ создания гибкой свертки для обнаружения вредоносных программ |
US9888016B1 (en) | 2013-06-28 | 2018-02-06 | Fireeye, Inc. | System and method for detecting phishing using password prediction |
US9336389B1 (en) * | 2013-08-19 | 2016-05-10 | Amazon Technologies, Inc. | Rapid malware inspection of mobile applications |
US9628507B2 (en) | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat (APT) detection center |
US9736179B2 (en) | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US9171160B2 (en) | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US10192052B1 (en) | 2013-09-30 | 2019-01-29 | Fireeye, Inc. | System, apparatus and method for classifying a file as malicious using static scanning |
US9690936B1 (en) | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US10515214B1 (en) | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US9294501B2 (en) | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US10089461B1 (en) | 2013-09-30 | 2018-10-02 | Fireeye, Inc. | Page replacement code injection |
US8739287B1 (en) * | 2013-10-10 | 2014-05-27 | Kaspersky Lab Zao | Determining a security status of potentially malicious files |
US8863284B1 (en) | 2013-10-10 | 2014-10-14 | Kaspersky Lab Zao | System and method for determining a security status of potentially malicious files |
US9921978B1 (en) | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
US9189627B1 (en) | 2013-11-21 | 2015-11-17 | Fireeye, Inc. | System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection |
US9756074B2 (en) | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US9747446B1 (en) | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
JP6326502B2 (ja) * | 2013-12-27 | 2018-05-16 | マカフィー, エルエルシー | 頻度に基づくレピュテーション |
US9292686B2 (en) | 2014-01-16 | 2016-03-22 | Fireeye, Inc. | Micro-virtualization architecture for threat-aware microvisor deployment in a node of a network environment |
US9262635B2 (en) | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9241010B1 (en) | 2014-03-20 | 2016-01-19 | Fireeye, Inc. | System and method for network behavior detection |
US10242185B1 (en) | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US9591015B1 (en) | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9432389B1 (en) | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US9223972B1 (en) | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US9396332B2 (en) * | 2014-05-21 | 2016-07-19 | Microsoft Technology Licensing, Llc | Risk assessment modeling |
US9973531B1 (en) | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US9594912B1 (en) | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US9438623B1 (en) | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US10084813B2 (en) | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US9398028B1 (en) | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers |
US10805340B1 (en) | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US10002252B2 (en) | 2014-07-01 | 2018-06-19 | Fireeye, Inc. | Verification of trusted threat-aware microvisor |
US9363280B1 (en) | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US10671726B1 (en) | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US9609005B2 (en) * | 2014-09-25 | 2017-03-28 | Mcafee, Inc. | Cross-view malware detection |
US10027689B1 (en) | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US9773112B1 (en) | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US9519780B1 (en) * | 2014-12-15 | 2016-12-13 | Symantec Corporation | Systems and methods for identifying malware |
US9690933B1 (en) | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US10075455B2 (en) | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US9934376B1 (en) | 2014-12-29 | 2018-04-03 | Fireeye, Inc. | Malware detection appliance architecture |
US9838417B1 (en) | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US10148693B2 (en) | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US9690606B1 (en) | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US9438613B1 (en) | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US10474813B1 (en) | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US9483644B1 (en) | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US10417031B2 (en) | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US9654485B1 (en) | 2015-04-13 | 2017-05-16 | Fireeye, Inc. | Analytics-based security monitoring system and method |
US9594904B1 (en) | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
US9639715B2 (en) | 2015-04-27 | 2017-05-02 | Microsoft Technology Licensing, Llc | Protecting user identifiable information in the transfer of telemetry data |
US10129291B2 (en) * | 2015-06-27 | 2018-11-13 | Mcafee, Llc | Anomaly detection to identify malware |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US10454950B1 (en) | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US10715542B1 (en) | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US10176321B2 (en) | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10200391B2 (en) | 2015-09-23 | 2019-02-05 | AVAST Software s.r.o. | Detection of malware in derived pattern space |
US10033747B1 (en) | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US10817606B1 (en) | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10706149B1 (en) | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US9825976B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US9825989B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US10601865B1 (en) | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US10210329B1 (en) | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US10284575B2 (en) | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10846117B1 (en) | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US10447728B1 (en) | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10108446B1 (en) | 2015-12-11 | 2018-10-23 | Fireeye, Inc. | Late load technique for deploying a virtualization layer underneath a running operating system |
RU2614561C1 (ru) * | 2015-12-18 | 2017-03-28 | Закрытое акционерное общество "Лаборатория Касперского" | Система и способ определения похожих файлов |
US10621338B1 (en) | 2015-12-30 | 2020-04-14 | Fireeye, Inc. | Method to detect forgery and exploits using last branch recording registers |
US10565378B1 (en) | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10050998B1 (en) | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US10133866B1 (en) | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10581874B1 (en) | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US9824216B1 (en) | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US11552986B1 (en) | 2015-12-31 | 2023-01-10 | Fireeye Security Holdings Us Llc | Cyber-security framework for application of virtual features |
WO2017131662A1 (en) * | 2016-01-27 | 2017-08-03 | Aruba Networks, Inc. | Preventing malware downloads |
US10476906B1 (en) | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10826933B1 (en) | 2016-03-31 | 2020-11-03 | Fireeye, Inc. | Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints |
US10893059B1 (en) | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10169585B1 (en) | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US10462173B1 (en) | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
JP6786959B2 (ja) | 2016-08-26 | 2020-11-18 | 富士通株式会社 | サイバー攻撃分析支援プログラム、サイバー攻撃分析支援方法およびサイバー攻撃分析支援装置 |
US10592678B1 (en) | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10491627B1 (en) | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US10607004B2 (en) * | 2016-09-29 | 2020-03-31 | Intel Corporation | Methods and apparatus to improve feature engineering efficiency with metadata unit operations |
RU2628922C1 (ru) * | 2016-10-10 | 2017-08-22 | Акционерное общество "Лаборатория Касперского" | Способ определения похожести составных файлов |
US10795991B1 (en) | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10587647B1 (en) | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10735462B2 (en) * | 2016-12-01 | 2020-08-04 | Kaminario Technologies Ltd. | Computer malware detection |
US10581879B1 (en) | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10552610B1 (en) | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10523609B1 (en) | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
US10904286B1 (en) | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10848397B1 (en) | 2017-03-30 | 2020-11-24 | Fireeye, Inc. | System and method for enforcing compliance with subscription requirements for cyber-attack detection service |
US10902119B1 (en) | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10791138B1 (en) | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US10798112B2 (en) | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10834099B2 (en) * | 2017-05-23 | 2020-11-10 | Juniper Networks, Inc. | Identifying a file using metadata and determining a security classification of the file before completing receipt of the file |
RU2673711C1 (ru) * | 2017-06-16 | 2018-11-29 | Акционерное общество "Лаборатория Касперского" | Способ обнаружения аномальных событий на основании набора сверток безопасных событий |
RU2651196C1 (ru) * | 2017-06-16 | 2018-04-18 | Акционерное общество "Лаборатория Касперского" | Способ обнаружения аномальных событий по популярности свертки события |
US10855700B1 (en) | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10503904B1 (en) | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10601848B1 (en) | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10893068B1 (en) | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10594725B2 (en) | 2017-07-27 | 2020-03-17 | Cypress Semiconductor Corporation | Generating and analyzing network profile data |
CN107332863A (zh) * | 2017-08-16 | 2017-11-07 | 深信服科技股份有限公司 | 一种基于集中管理的主机的安全检测方法及系统 |
US10747872B1 (en) | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10805346B2 (en) | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US11108809B2 (en) | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
WO2019088980A1 (en) * | 2017-10-30 | 2019-05-09 | Hewlett-Packard Development Company, L.P. | Regulating execution |
TWI621030B (zh) * | 2017-12-22 | 2018-04-11 | 中華電信股份有限公司 | 使用軟體認證鏈進行軟體認證的方法、系統、及電腦儲存媒體 |
US11005860B1 (en) | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US11240275B1 (en) | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US11271955B2 (en) | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US10826931B1 (en) | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US10956477B1 (en) | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US11558401B1 (en) | 2018-03-30 | 2023-01-17 | Fireeye Security Holdings Us Llc | Multi-vector malware detection data sharing system for improved detection |
US11003773B1 (en) | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US11075930B1 (en) | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11314859B1 (en) | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11228491B1 (en) | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
RU2706883C1 (ru) * | 2018-06-29 | 2019-11-21 | Акционерное общество "Лаборатория Касперского" | Система и способ снижения количества ложных срабатываний классифицирующих алгоритмов |
US11316900B1 (en) | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
US11182473B1 (en) | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US11763004B1 (en) | 2018-09-27 | 2023-09-19 | Fireeye Security Holdings Us Llc | System and method for bootkit detection |
US10936718B2 (en) * | 2018-10-01 | 2021-03-02 | Blackberry Limited | Detecting security risks in binary software code |
US10984102B2 (en) * | 2018-10-01 | 2021-04-20 | Blackberry Limited | Determining security risks in binary software code |
US11347850B2 (en) | 2018-10-01 | 2022-05-31 | Blackberry Limited | Analyzing binary software code |
US11106791B2 (en) | 2018-10-01 | 2021-08-31 | Blackberry Limited | Determining security risks in binary software code based on network addresses |
US11017083B2 (en) | 2018-10-17 | 2021-05-25 | International Business Machines Corporation | Multiple phase graph partitioning for malware entity detection |
US10885170B1 (en) * | 2018-11-20 | 2021-01-05 | Apotheka Systems Inc. | Methods, systems, and storage media for managing patient information using a blockchain network |
US12074887B1 (en) | 2018-12-21 | 2024-08-27 | Musarubra Us Llc | System and method for selectively processing content after identification and removal of malicious content |
US11368475B1 (en) | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US11100064B2 (en) | 2019-04-30 | 2021-08-24 | Commvault Systems, Inc. | Automated log-based remediation of an information management system |
US11258806B1 (en) | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11556640B1 (en) | 2019-06-27 | 2023-01-17 | Mandiant, Inc. | Systems and methods for automated cybersecurity analysis of extracted binary string sets |
US11392700B1 (en) | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
US10621346B1 (en) | 2019-08-21 | 2020-04-14 | Netskope, Inc. | Efficient scanning for threat detection using in-doc markers |
US11886585B1 (en) | 2019-09-27 | 2024-01-30 | Musarubra Us Llc | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
US11637862B1 (en) | 2019-09-30 | 2023-04-25 | Mandiant, Inc. | System and method for surfacing cyber-security threats with a self-learning recommendation engine |
US11269991B2 (en) * | 2020-06-22 | 2022-03-08 | Bank Of America Corporation | System for identifying suspicious code in an isolated computing environment based on code characteristics |
US11880461B2 (en) | 2020-06-22 | 2024-01-23 | Bank Of America Corporation | Application interface based system for isolated access and analysis of suspicious code in a computing environment |
US11636203B2 (en) | 2020-06-22 | 2023-04-25 | Bank Of America Corporation | System for isolated access and analysis of suspicious code in a disposable computing environment |
US11797669B2 (en) | 2020-06-22 | 2023-10-24 | Bank Of America Corporation | System for isolated access and analysis of suspicious code in a computing environment |
US11574056B2 (en) * | 2020-06-26 | 2023-02-07 | Bank Of America Corporation | System for identifying suspicious code embedded in a file in an isolated computing environment |
CN118414616A (zh) * | 2021-12-17 | 2024-07-30 | 松下汽车电子系统株式会社 | 安全对策方法和安全对策系统 |
US11522885B1 (en) * | 2022-02-08 | 2022-12-06 | Uab 360 It | System and method for information gain for malware detection |
Family Cites Families (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6505160B1 (en) * | 1995-07-27 | 2003-01-07 | Digimarc Corporation | Connected audio and other media objects |
GB2353372B (en) * | 1999-12-24 | 2001-08-22 | F Secure Oyj | Remote computer virus scanning |
US8121843B2 (en) * | 2000-05-02 | 2012-02-21 | Digimarc Corporation | Fingerprint methods and systems for media signals |
US20040064737A1 (en) * | 2000-06-19 | 2004-04-01 | Milliken Walter Clark | Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses |
US20040073617A1 (en) * | 2000-06-19 | 2004-04-15 | Milliken Walter Clark | Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail |
US7114184B2 (en) * | 2001-03-30 | 2006-09-26 | Computer Associates Think, Inc. | System and method for restoring computer systems damaged by a malicious computer program |
KR100461984B1 (ko) * | 2001-10-06 | 2004-12-17 | 주식회사 테라스테크놀로지 | 바이러스 감염 클라이언트의 자발적 바이러스 치료를 유도하는 전자우편 메시지의 처리방법 |
US20040158741A1 (en) * | 2003-02-07 | 2004-08-12 | Peter Schneider | System and method for remote virus scanning in wireless networks |
GB2400197B (en) * | 2003-04-03 | 2006-04-12 | Messagelabs Ltd | System for and method of detecting malware in macros and executable scripts |
US7475427B2 (en) * | 2003-12-12 | 2009-01-06 | International Business Machines Corporation | Apparatus, methods and computer programs for identifying or managing vulnerabilities within a data processing network |
EP1632907B1 (de) * | 2004-08-24 | 2019-10-30 | Canon Kabushiki Kaisha | Datenverarbeitungssystem und Steuerungsverfahren dafür, Computerprogramm und computerlesbares Aufzeichnungsmedium |
US7636856B2 (en) * | 2004-12-06 | 2009-12-22 | Microsoft Corporation | Proactive computer malware protection through dynamic translation |
US8516583B2 (en) * | 2005-03-31 | 2013-08-20 | Microsoft Corporation | Aggregating the knowledge base of computer systems to proactively protect a computer from malware |
US8479174B2 (en) * | 2006-04-05 | 2013-07-02 | Prevx Limited | Method, computer program and computer for analyzing an executable computer file |
US8321941B2 (en) | 2006-04-06 | 2012-11-27 | Juniper Networks, Inc. | Malware modeling detection system and method for mobile platforms |
US8042184B1 (en) * | 2006-10-18 | 2011-10-18 | Kaspersky Lab, Zao | Rapid analysis of data stream for malware presence |
US20080244275A1 (en) * | 2007-03-30 | 2008-10-02 | Motorola, Inc. | Instruction Transform for the Prevention and Propagation of Unauthorized Code Injection |
US7854002B2 (en) * | 2007-04-30 | 2010-12-14 | Microsoft Corporation | Pattern matching for spyware detection |
US20100011441A1 (en) * | 2007-05-01 | 2010-01-14 | Mihai Christodorescu | System for malware normalization and detection |
US20090313700A1 (en) * | 2008-06-11 | 2009-12-17 | Jefferson Horne | Method and system for generating malware definitions using a comparison of normalized assembly code |
US8584235B2 (en) * | 2011-11-02 | 2013-11-12 | Bitdefender IPR Management Ltd. | Fuzzy whitelisting anti-malware systems and methods |
-
2008
- 2008-05-28 US US12/128,490 patent/US8732825B2/en active Active
-
2009
- 2009-05-27 EP EP09767304.0A patent/EP2310974B1/de active Active
- 2009-05-27 WO PCT/US2009/045319 patent/WO2009154992A2/en active Application Filing
- 2009-05-27 JP JP2011511784A patent/JP5511097B2/ja not_active Expired - Fee Related
- 2009-05-27 CN CN200980119523.5A patent/CN102047260B/zh active Active
Non-Patent Citations (1)
Title |
---|
None * |
Also Published As
Publication number | Publication date |
---|---|
CN102047260B (zh) | 2015-08-05 |
EP2310974A2 (de) | 2011-04-20 |
US8732825B2 (en) | 2014-05-20 |
JP5511097B2 (ja) | 2014-06-04 |
WO2009154992A2 (en) | 2009-12-23 |
US20090300761A1 (en) | 2009-12-03 |
WO2009154992A3 (en) | 2010-02-11 |
JP2011523748A (ja) | 2011-08-18 |
CN102047260A (zh) | 2011-05-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2310974B1 (de) | Intelligente hashes für zentralisierte schadsoftware-detektion | |
US11068588B2 (en) | Detecting irregularities on a device | |
US8239944B1 (en) | Reducing malware signature set size through server-side processing | |
US9246931B1 (en) | Communication-based reputation system | |
US8095964B1 (en) | Peer computer based threat detection | |
US8365283B1 (en) | Detecting mutating malware using fingerprints | |
US8850570B1 (en) | Filter-based identification of malicious websites | |
Vinod et al. | Survey on malware detection methods | |
US7640589B1 (en) | Detection and minimization of false positives in anti-malware processing | |
US8239948B1 (en) | Selecting malware signatures to reduce false-positive detections | |
US8381289B1 (en) | Communication-based host reputation system | |
US8266698B1 (en) | Using machine infection characteristics for behavior-based detection of malware | |
US8572740B2 (en) | Method and system for detection of previously unknown malware | |
US8819835B2 (en) | Silent-mode signature testing in anti-malware processing | |
EP2486507B1 (de) | Erkennung von schadprogrammen mittels anwendungsüberwachung | |
JP5961183B2 (ja) | 文脈上の確からしさ、ジェネリックシグネチャ、および機械学習法を用いて悪意のあるソフトウェアを検出する方法 | |
US8312537B1 (en) | Reputation based identification of false positive malware detections | |
US8726391B1 (en) | Scheduling malware signature updates in relation to threat awareness and environmental safety | |
US9147073B2 (en) | System and method for automatic generation of heuristic algorithms for malicious object identification | |
US20110041179A1 (en) | Malware detection | |
RU2624552C2 (ru) | Способ обнаружения вредоносных файлов, исполняемых с помощью стековой виртуальной машины | |
Bakour et al. | A deep camouflage: evaluating android’s anti-malware systems robustness against hybridization of obfuscation techniques with injection attacks | |
US20230100947A1 (en) | Automated Identification of Malware Families Based on Shared Evidences | |
JP2016525750A (ja) | 合法的オブジェクトの誤用の識別 | |
Stokes et al. | Scalable telemetry classification for automated malware detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20101217 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK TR |
|
AX | Request for extension of the european patent |
Extension state: AL BA RS |
|
DAX | Request for extension of the european patent (deleted) | ||
17Q | First examination report despatched |
Effective date: 20131216 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R079 Ref document number: 602009044498 Country of ref document: DE Free format text: PREVIOUS MAIN CLASS: G06F0021000000 Ipc: G06F0021560000 |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: G06F 21/56 20130101AFI20161005BHEP |
|
INTG | Intention to grant announced |
Effective date: 20161019 |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK TR |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP Ref country code: AT Ref legal event code: REF Ref document number: 872124 Country of ref document: AT Kind code of ref document: T Effective date: 20170315 |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R096 Ref document number: 602009044498 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: PLFP Year of fee payment: 9 |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: MP Effective date: 20170301 |
|
REG | Reference to a national code |
Ref country code: LT Ref legal event code: MG4D |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: MK05 Ref document number: 872124 Country of ref document: AT Kind code of ref document: T Effective date: 20170301 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: NO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170601 Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: FI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170602 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20170531 Ref country code: AT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: BG Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170601 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: NL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170703 Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170701 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R097 Ref document number: 602009044498 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: MC Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 |
|
26N | No opposition filed |
Effective date: 20171204 |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: MM4A |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20170531 Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 Ref country code: LI Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20170531 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20170527 |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: PLFP Year of fee payment: 10 |
|
REG | Reference to a national code |
Ref country code: BE Ref legal event code: MM Effective date: 20170531 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20170527 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: BE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20170531 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MT Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20170527 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: HU Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO Effective date: 20090527 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: FR Payment date: 20190419 Year of fee payment: 11 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CY Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20170301 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: GB Payment date: 20190423 Year of fee payment: 11 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R082 Ref document number: 602009044498 Country of ref document: DE Ref country code: DE Ref legal event code: R082 Ref document number: 602009044498 Country of ref document: DE Representative=s name: BOSCH JEHLE PATENTANWALTSGESELLSCHAFT MBH, DE |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R081 Ref document number: 602009044498 Country of ref document: DE Owner name: CA, INC., SAN JOSE, US Free format text: FORMER OWNER: SYMANTEC CORP., MOUNTAIN VIEW, CALIF., US |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: TR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20170301 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R082 Ref document number: 602009044498 Country of ref document: DE Representative=s name: BOSCH JEHLE PATENTANWALTSGESELLSCHAFT MBH, DE |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: 732E Free format text: REGISTERED BETWEEN 20200730 AND 20200805 |
|
GBPC | Gb: european patent ceased through non-payment of renewal fee |
Effective date: 20200527 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: FR Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20200531 Ref country code: GB Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20200527 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: DE Payment date: 20240510 Year of fee payment: 16 |